SCADAPack E Security Technical Reference

Table of Contents

Part I Security Technical
1 Technical Support
2 Safety Information
3 References
4 Terminology
5 Introduction
  5.1 Standards
  5.2 Operational Goals, Functionality Summary, & Standard RTU Operation
  5.3 SCADAPack E RTU Security
    5.3.1 What is DNP3 Secure Authentication?
    5.3.2 How does DNP3 Secure Authentication Work?
    5.3.3 What is AGA12?
    5.3.4 How does AGA12 Work?
    5.3.5 Supported AGA12-2 Functionality
    5.3.6 How do DNP3 Secure Authentication and AGA12 Encryption Work together?
    5.3.7 Highlights of SCADAPack E RTU Security
  5.4 Licensing
  5.5 Key Management
    5.5.1 SCADAPack E Configurator Key Modes
    5.5.2 Master Key Configuration
    5.5.3 Compact Flash Entry and UTIL LED
    5.5.4 Local USB Configuration
  5.6 User-based Authentication
6 Telnet and FTP Authentication
7 Using SCADAPack E Security
  7.1 Description of Security Facilities
  7.2 DNP3 Secure Authentication
    7.2.1 Challenged Functions
    7.2.2 Security Settings
    7.2.3 Aggressive Mode
    7.2.4 Vulnerabilities Addressed
  7.3 AGA12 Encryption
    7.3.1 AGA12 Node RTU
    7.3.2 AGA12 Gateway and Session Establishment
    7.3.3 AGA12 Gateway RTU
      7.3.3.1 Configuring an AGA12 Gateway RTU
    7.3.4 Secure Communications and Node Operation
    7.3.5 Typical System Layout
    7.3.6 Addressing and Local Communication
    7.3.7 Remote RTUs Communicating using an AGA12 Gateway
    7.3.8 Operating as a Data Concentrator
    7.3.9 Example Configurations
    7.3.10 AGA12 Parameters
      7.3.10.1 DNP3 Routing Table and AGA12 Settings
      7.3.10.2 Fixed AGA12-2 Parameters
      7.3.10.3 Vulnerabilities Addressed
  7.4 DNP3 Routing
  7.5 Peer Communication, Multiple Masters, & Start-Up and Shutdown
  7.6 Security Considerations
8 Security Administration
  8.1 Security File Management & Counterpart Entry Management
9 Diagnostics
  9.1 DNP3 Secure Authentication Diagnostics
    9.1.1 Diagnostic Example - No RTU Security Configured
    9.1.2 Diagnostic Example - Incorrect Security Credentials
    9.1.3 Diagnostic Example - Successful Critical Message Challenge
  9.2 AGA12 Encryption Diagnostics
    9.2.1 Diagnostic Filtering
    9.2.2 Routing Rule Diagnostics
    9.2.3 Diagnostic Example - Session Open Transactions
    9.2.4 Diagnostic Example - Session Re-establishment Transactions
    9.2.5 System Points
10 Attack Vectors & Requirements
  10.1 Protocol and Configuration attacks on RTU
  10.2 Routed Communication to RTU & Access to Gateway
  10.3 RTU Local Port Access, Networked Configurator & Spoofing Master Address
  10.4 IP Networked RTUs & Duplicated RTU Personality
11 Using AGA12 Security Components - Copyright


Part I Security Technical

©2013 Control Microsystems Inc.

All rights reserved.

Printed in Canada.

Version: 8.05.4

The information provided in this documentation contains general descriptions and/or technical characteristics of the performance of the products contained herein. This documentation is not intended as a substitute for and is not to be used for determining suitability or reliability of these products for specific user applications. It is the duty of any such user or integrator to perform the appropriate and complete risk analysis, evaluation and testing of the products with respect to the relevant specific application or use thereof. Neither Schneider Electric nor any of its affiliates or subsidiaries shall be responsible or liable for misuse of the information contained herein. If you have any suggestions for improvements or amendments or have found errors in this publication, please notify us.

No part of this document may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without express written permission of Schneider Electric.

All pertinent state, regional, and local safety regulations must be observed when installing and using this product. For reasons of safety and to help ensure compliance with documented system data, only the manufacturer should perform repairs to components.

When devices are used for applications with technical safety requirements, the relevant instructions must be followed. Failure to use Schneider Electric software or approved software with our hardware products may result in injury, harm, or improper operating results.

Failure to observe this information can result in injury or equipment damage.

1 Technical Support

Support related to any part of this documentation can be directed to one of the following support centers.


Technical Support: The Americas

Available Monday to Friday 8:00am – 6:30pm Eastern Time

Toll free within North America

1-888-226-6876

Direct Worldwide

+1-613-591-1943

Email

[email protected]

Technical Support: Europe

Available Monday to Friday 8:30am – 5:30pm Central European Time

Direct Worldwide

+31 (71) 597-1655

Email

[email protected]

Technical Support: Asia

Available Monday to Friday 8:00am – 6:30pm Eastern Time (North America)

Direct Worldwide

+1-613-591-1943

Email

[email protected]

Technical Support: Australia

Inside Australia

1300 369 233

Email

[email protected]

2 Safety Information

Read these instructions carefully, and look at the equipment to become familiar with the device before trying to install, operate, or maintain it. The following special messages may appear throughout this documentation or on the equipment to warn of potential hazards or to call attention to information that clarifies or simplifies a procedure.

The addition of this symbol to a Danger or Warning safety label indicates that an electrical hazard exists, which will result in personal injury if the instructions are not followed.

This is the safety alert symbol. It is used to alert you to potential personal injury hazards. Obey all safety messages that follow this symbol to avoid possible injury or death.


DANGER

DANGER indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

WARNING

WARNING indicates a potentially hazardous situation which, if not avoided, can result in death or serious injury.

CAUTION

CAUTION indicates a potentially hazardous situation which, if not avoided, can result in minor or moderate injury.

CAUTION

CAUTION, used without the safety alert symbol, indicates a potentially hazardous situation which, if not avoided, can result in equipment damage.

PLEASE NOTE

Electrical equipment should be installed, operated, serviced, and maintained only by qualified personnel. No responsibility is assumed by Schneider Electric for any consequences arising out of the use of this material.

A qualified person is one who has skills and knowledge related to the construction and operation of electrical equipment and the installation, and has received safety training to recognize and avoid the hazards involved.

BEFORE YOU BEGIN

Do not use this product on machinery lacking effective point-of-operation guarding. Lack of effective point-of-operation guarding on a machine can result in serious injury to the operator of that machine.

CAUTION

EQUIPMENT OPERATION HAZARD

Verify that all installation and set up procedures have been completed. Before operational tests are performed, remove all blocks or other temporary holding means used for shipment from all component devices.


Remove tools, meters, and debris from equipment.

Failure to follow these instructions can result in injury or equipment damage.

Follow all start-up tests recommended in the equipment documentation. Store all equipment documentation for future reference.

Software testing must be done in both simulated and real environments.

Verify that the completed system is free from all short circuits and grounds, except those grounds installed according to local regulations (according to the National Electrical Code in the U.S.A., for instance). If high-potential voltage testing is necessary, follow the recommendations in the equipment documentation to prevent accidental equipment damage.

Before energizing equipment:

Remove tools, meters, and debris from equipment.
Close the equipment enclosure door.
Remove ground from incoming power lines.
Perform all start-up tests recommended by the manufacturer.

OPERATION AND ADJUSTMENTS

The following precautions are from the NEMA Standards Publication ICS 7.1-1995 (English version prevails):

Regardless of the care exercised in the design and manufacture of equipment or in the selection and ratings of components, there are hazards that can be encountered if such equipment is improperly operated.

It is sometimes possible to misadjust the equipment and thus produce unsatisfactory or unsafe operation. Always use the manufacturer's instructions as a guide for functional adjustments. Personnel who have access to these adjustments should be familiar with the equipment manufacturer's instructions and the machinery used with the electrical equipment.

Only those operational adjustments actually required by the operator should be accessible to the operator. Access to other controls should be restricted to prevent unauthorized changes in operating characteristics.

3 References

American Gas Association AGA12 Part 1 Recommendations (2006). See http://www.aga.org/our-issues/security/Documents/0603REPORT12.PDF

AGA12-2 Protocol and Java Reference Application, see http://scadasafe.sourceforge.net/


4 Terminology

SCADA Security and its options for Encryption and Authentication can be complex.

Refer to this glossary of terms used in this document. For additional definitions related to SCADAPack E, see SCADAPack E Technical Overview.

AGA12 Gateway RTU: A SCADAPack E RTU operating mode that performs encoding and decoding between cleartext and ciphertext on behalf of other nodes in the network. Commonly used to interface a secure AGA12 network to a cleartext master station. The DNP3 Host uses the AGA12 gateway feature of a SCADAPack ES to encrypt cleartext DNP3 messages flowing from the Host to the RTUs in the field. The same gateway decrypts the ciphertext messages coming back from the field RTUs to the Host.

AGA12 Node: A device providing SCADA Cryptographic Module (SCM) services in order to receive and transmit secure data to the AGA12-2 standard.

Authentication: A challenge and reply exchange between two devices that provides them both with confidence that the other device is who it claims to be.

Authority: An independent entity holding and providing security credentials. The SCADAPack E Security Administrator application is an example of a simple authority.

Challenger: A device attempting to authenticate that a partner device is who it claims to be. See also Responder.

Cipher Suite: A set of cryptographic algorithms, keys, and parameters identified by a cipher suite number. The AGA12 virtual SCM within each RTU maintains a mapping of every static session and every open dynamic session to a cipher suite (see also Session).

Cipher text: Transmitted or received data that has been encoded (see also Encoding).

Cipher text Port: In the context of SCADAPack E RTUs, this is a communications port supporting ciphertext DNP3. In the case of an AGA12 Gateway RTU, a ciphertext port may also support cleartext DNP3 when operating in mixed mode.

Clear Device Port: Applies to SCADAPack E AGA12 Gateway RTU only (see AGA12 Gateway). This port receives DNP3 data in cleartext and encodes it for transmission on a ciphertext port. A clear device port transmits cleartext DNP3 data after it has been decoded from reception on a ciphertext port.

Cleartext: Data that has not been encoded (see also Encoding). It may be received data that is to be transmitted 'in the clear', data that is yet to be encoded, or data that has already been decoded.

Common Key: A cryptographic key value that is shared amongst multiple entities to allow inter-operation, e.g. a group of controllers, or every Configurator node.

Counterpart: An associated AGA12 device that, together with this device, form a pair for secure data exchange.

CM: A Cryptographic Module (defined in the US Federal Information Processing Standard FIPS 140-2) is an electronic component that is placed in-line on a communications channel and affords cryptographic protection for the communications, including, but not limited to, encryption and authentication. The class of such electronic devices is sometimes referred to as “bump-in-the-wire”.

Decoding: The process of checking that data is correctly signed (i.e. has not been tampered with) and extracting the original data from the encrypted data. The algorithms for decoding are determined by the Cipher Suite and security keys. Decoding is one of the tasks carried out by the SCADAPack E RTU's Virtual SCM when receiving a message from another SCM. See also Encoding.


Decryption: Translating Cipher Text into Clear Text using a cryptographic key . I.e. converting obscured data back into the original useful data

Default Key: Pre-assigned key or key mode (typically a factory-set key) allowing devices to communicate "out-of-the-box". For good security, keys that are different from the default key should be used. In SCADAPack E this refers to the security configuration mode for SCADAPack E Configurator keys (cf. Common Key, Unique Key).

Encoding: The process of encrypting and signing data to ensure its contents are obscured and protected from tampering. The algorithms for Encoding are determined by the Cipher Suite and security keys. This is one of the tasks carried out by the SCADAPack E RTU’s Virtual SCM sending a message to another SCM.

Encryption: Translating Clear Text into Cipher Text using a cryptographic key . I.e. obscuring data so that it looks random in order to hide the content of the data. Also see Decryption

Key: In DNP3 Secure Authentication this is also known as the Update Key and protects the dynamic session keys used for authenticating devices. In AGA12 this is also known as the Encryption Key (to distinguish it from the Mac Key). The Key is the common secret held by a pair of devices, used for obscuring data before transmission and for recovering data from the obscured data stream.

Key Pair: the combination of the Key (encryption key) and Mac Key which as a pair form the common secret held by AGA12 counterpart devices (when the Cipher Suite uses both encryption and verification signing).

Local Access Port: A dedicated, local port supporting direct connection of a DNP3 configuration terminal for local maintenance of the RTU. For RTUs using AGA12, this is the only port that communicates cleartext DNP3 and is for physically local access only. DNP3 Secure Authentication does not use the concept of a local access port on a controller (every port is secured).

Mac Key: This is the common secret held by a pair of devices and is used for digitally signing a data stream to ensure it has not been tampered with. In SCADAPack E this refers to one key of the AGA12 Key Pair.

Master Key: The master key customizes the controller security configuration file generated by the SCADAPack E Security Administrator application and is loaded into SCADAPack E RTUs that are to operate on a given customer network, or portion of a customer network.

Master Station Host: The device in a SCADA network that most remote devices report to. It typically initiates the majority of communication transactions in a network. In DNP3 Secure Authentication, the Master Station (Host) natively supports the Secure Authentication objects that are used to establish security with remote devices.

Mixed Mode: AGA12 Mixed Mode operation allows an SCM to simultaneously forward encrypted and unencrypted communications between SCADA equipment. This permits a SCADA master equipped with or connected to an SCM to communicate with a SCADA unit (e.g., RTU) that does not have an SCM. Mixed mode operation can be disabled. Mixed mode can be used for SCADAPack E AGA12 Gateway RTUs, and RTUs routing DNP3 cleartext.

Pass Phrase: In SCADAPack E the user enters this phrase to generate the Master Key for a system.

Responder: A device sending authentication information to a partner device in reply, to prove it is who it claims to be. See also Challenger .

SCM: A SCADA Cryptographic Module is a Cryptographic Module (CM) designed to or configured to operate on the communications channels between SCADA hosts and SCADA remote devices. SCADAPack E telemetry supports a Virtual SCM as part of its operating system firmware, rather than requiring an external (bump-in-the-wire) Electronic device.


SCM Configuration: Every SCM has various configuration parameters that include an SCM address, communication parameters, and static session information. SCADAPack E RTU Virtual SCMs can be configured through command line text entry, through a plug in media module (e.g. Compact Flash card on SCADAPack ES or SCADAPack ER), or through local USB peripheral communication port using SCADAPack E Configurator (SCADAPack 300E). The security files for Compact Flash card or SCADAPack E Configurator loading of the configuration is managed by a Windows® Security Administrator application.

SCM Address: A SCADAPack E RTU's Virtual SCM address is obtained directly from the device's configured DNP3 node address. Every SCM on a shared or networked communications link needs a unique SCM address (and therefore a unique DNP3 address). Addresses in the range 1 – 65519 are valid for both DNP3 and SCM. Address 0 is not a valid SCADAPack E SCM address and cannot be used as a SCADAPack E RTU DNP3 node address when using AGA12 security.

Security Administrator: The SCADAPack E application used by the person responsible for security administration in a network. This application is a type of security Authority that retains and provides security configuration files for the rest of the system. It should be operated by corporate level security administration personnel.

Session: A session is a bidirectional virtual communications channel established between a specific pair of devices. In the case of AGA12 on SCADAPack E RTUs, a session is established between each pair of SCADAPack E virtual SCMs. A session has a type indicating it as static or dynamic. Static sessions have cryptographic and other parameters that are configured in SCM configuration data. Dynamic sessions have negotiated cryptographic parameters that vary with time and with each message sent on the session. Management of sessions is one of the tasks carried out by the SCADAPack E RTU's Virtual SCM. DNP3 similarly establishes a session for communication between two devices. Part of the DNP3 session's information includes DNP3 Secure Authentication information.

SSPP: SCADA Security Protection Protocol – Defined by the AGA12-2 standard. This is the technical name of the AGA12-2 protocol that transports session information and secured data between SCMs.

Unique Key: The SCADAPack E security mode requiring that SCADAPack E Configurator nodes be individually secured (optional).

Update Key: DNP3 Secure Authentication terminology for the secret key known to devices that communicate with each other.


5 Introduction

This document describes Integrated SCADA security for SCADAPack E RTU devices.

Audience

This document is for use by product users, system designers, and SCADA security administrators. It is recommended that you have an understanding of DNP3 Secure Authentication and AGA12 Encryption.

Scope

This document contains user information as well as technical reference information. For information on configuring the Security features, refer to the SCADAPack E Security Administrator User Manual and SCADAPack E Configurator User Manual.

See the following for more information:

Standards
Operational Goals, Functionality Summary, & Standard RTU Operation
SCADAPack E RTU Security
Licensing
Key Management
User-based Authentication

Platforms

The following controllers support AGA12 Encryption security and DNP3 Secure Authentication:

SCADAPack 300E Controllers
SCADAPack ES
SCADAPack ER

SCADAPack E Security Components

The SCADAPack E security components include the following:

Security Administrator license file
Security Administrator project file
Controller Security configuration file
SCADAPack E Configurator Security file


5.1 Standards

Security recommendations and standards of interest to utility sector markets include:

IEC 62351
DNP3 Secure Authentication
AGA12 suite

The DNP3 Secure Authentication and AGA12 standards each address different security problems: DNP3's use of IEC 62351 focuses on authentication, while AGA12 focuses on encryption.

A combination of authentication and encryption services is widely regarded as providing the best protection for SCADA protocols.

IEC 62351 Standard

IEC 62351 standard specifies authentication of SCADA data transfer using digital signatures. The objectives of this standard include providing only authenticated access, stopping eavesdropping, spoofing, and playback, as well as intrusion detection. The security design specified in this standard is integrated within a SCADA protocol, requiring end-to-end implementation in order to operate.

DNP3 uses the IEC 62351 standard for Secure Authentication.

DNP3 Secure Authentication

The DNP3 Secure Authentication specification is based on authentication and challenge principles that have been in use since the advent of dial-up Internet connections. These include the Hashed Message Authentication Code (HMAC), a keyed calculation performed on a message: DNP3 Secure Authentication computes an HMAC over each critical message to authenticate it, in other words, to prove that the sender is who it says it is. They also include challenge-reply, a common mechanism to stop replay attacks (a replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed). DNP3 Secure Authentication also incorporates security "key" technology.

DNP3 Secure Authentication is designed to protect only actions that are deemed critical, for example controls or configuration changes. This conserves bandwidth and adds only minor processing overhead. The challenges are issued at the protocol Application Layer. The 'signature' is an HMAC computed with a security key; it detects tampering but does not encrypt the data. See How does AGA12 Work? for information on encryption.

See the following for more information on DNP3 Secure Authentication:

What is DNP3 Secure Authentication?

How does DNP3 Secure Authentication Work?

AGA12 Suite

The AGA12 suite includes specific designs and reference applications for use with DNP3 as well as other SCADA protocols. AGA12 is designed to operate outside of existing SCADA protocols (it specifies an additional protocol wrapper), so it is adaptable for implementation on existing systems and new systems. External devices can be used to provide security. Typically, sessions between a device external to a Master Station (e.g. a gateway or other bump-in-the-wire device) and Outstations (RTUs) are secured. The IEEE is currently running projects to define AGA12 as part of substation communication security.

See the following for more information on the AGA12 suite:

What is AGA12?
How does AGA12 Work?
Using AGA12 Security

(15)

5.2 Operational Goals, Functionality Summary, & Standard RTU Operation

Operational Goals

The operational goals of the SCADAPack E RTU's integrated security are to provide:

Message integrity protection
Defense against injection, modification, splicing, replay and reordering (but not Denial of Service, although it avoids making this worse)
Authentication
Confidentiality
A minimal number of messages additional to the SCADA messages, e.g. initiating sessions only when SCADA units send a message the first time, no retries and no keep-alive messages

Functionality Summary

The Integrated Security functionality provided by the SCADAPack E RTUs includes Secure Authentication with optional, integrated user credentials and maintenance software security.

Protection is provided on DNP3 communication ports operating on short-range (local) and long-range (remote) links.

DNP3 Secure Authentication is provided to v2 of the DNP User Group Secure Authentication standard. AGA12 Encryption for DNP3 is provided to the AGA12-2 recommendations.

DNP3 Secure Authentication and AGA12 Encryption security on SCADAPack E RTUs applies only to DNP3 communications. The following SCADAPack E RTU communications media support security:

DNP3 RS232 serial ports
Hayes Modem dial-up connections (DNP Secure Authentication only)
DNP3 RS422 serial ports
DNP3 RS485 serial ports
DNP3 / IP communications (TCP and UDP), including Ethernet, PPP, GPRS, 1xRTT, etc.
USB local connection (SCADAPack 300E controllers only)

Security is a licensed feature of SCADAPack E RTUs. When the controller is licensed for Encryption AGA12 or Authentication SAv2, security operation is activated when a security configuration file is loaded in to the device. The security configuration file is generated by the SCADAPack E Security Administrator application.

Standard RTU Operation

Secure communications is enabled on a device when a security configuration has been loaded on the RTU for the first time.

If a security configuration has not been loaded in to an SCADAPack E RTU, security will not be active on its DNP3 ports, and the RTU operates in its standard (non-secured) way.

I.e. communications will operate as standard DNP3 on DNP communication ports until a security configuration is loaded for the first time. When operating this way, the RTU ports are referred to as

5.3 SCADAPack E RTU Security

What is DNP3 Secure Authentication?
How does DNP3 Secure Authentication Work?
What is AGA12?
How does AGA12 Work?
Supported AGA12-2 Functionality
How do DNP3 Secure Authentication and AGA12 Encryption Work together?
Highlights of SCADAPack E RTU Security

5.3.1 What is DNP3 Secure Authentication?

DNP3 Secure Authentication is a bi-directional protocol that adds data integrity protection and user and device authentication, resulting in protection between master stations (HMI, control servers), outstations (PLCs, RTUs, IEDs) and Configuration software using the DNP3 protocol.

SCADAPack E RTUs support DNP3 Secure Authentication to the DNP User Group Secure Authentication Specification v2.00

For more information, see:

How does DNP3 Secure Authentication Work?

5.3.2 How does DNP3 Secure Authentication Work?

DNP3 protocol specifies data link, transport, and application layers. DNP3 Secure Authentication operates at the application layer. This means that DNP3 transactions are secured from end to end through a system regardless of the communications protocol specified (TCP/IP, UDP/IP, serial) and independent of the presence of communications gateways, routers, etc. It also means DNP3 can be secured in hybrid networks, for example, through TCP/IP then to serial communications.

DNP3 Secure Authentication takes place in three scenarios:

Initialization
Periodic
Critical Function Code Requests

Initialization

When initiating a session, DNP3 Secure Authentication authenticates that the master station and outstation are who they claim to be. This scenario is designed to prevent spoofing, replay, and other forms of cyber attacks. This is accomplished using a unique session key (dynamic) derived from the pre-shared secret keys known by both devices (static Update key).

Periodic

Once a session is established, the master station and outstation periodically verify again who they claim to be to prevent hijacking and other attacks. The default SCADAPack E authentication period is 30 minutes. The maximum periodic authentication period is 14 days. A new (dynamic) session key is generated and exchanged during each periodic update.

Critical Function Code Requests

Messages that are regarded as "critical" operations are challenged by the receiver, asking the requester for security credentials. The receiver needs to gain confidence that the requester is who he says he is, before proceeding to perform the request.

Both non-critical and critical message transactions are shown in the picture to illustrate the difference between the unchallenged message, whose operation is the same as standard DNP3 without security, and the challenged message, which uses the DNP3 Secure Authentication mechanism.


See Challenged Functions for a list of the critical function codes challenged by the SCADAPack E RTU.

Further transaction scenarios are detailed in the DNP3 Specification Volume 2 Supplement 1 - Secure Authentication document available to DNP User Group members. See www.dnp.org

Use of Security Keys

DNP3 Secure Authentication uses a cryptographic key technically known as the "Update Key" for securing messages. This static key is the pre-shared "secret" between a master device and the outstation device.

From the Update Key, a dynamic "Session Key" is created that protects critical operational data. A summary of this data flow is shown in the following picture.


This data flow applies to DNP3 security initialization, periodic key changes and challenged critical requests.

Aggressive Mode

The data flow described in the above picture also applies to DNP3 Aggressive Mode transactions. Once security credentials are established through a previous critical request, aggressive mode allows the authentication data (a sequence number and an HMAC computed over the most recent challenge) to be appended to the critical request message itself, without going through the full challenge / reply exchange, as shown in the following picture.
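The exchange described in this section, as an added toy model (not SCADAPack E firmware or DNP User Group code): a shared Update Key, a per-session key, an outstation that lets non-critical requests through but challenges critical function codes, a master answering with an HMAC over the challenge, and aggressive mode with its sequence-number check. Assumptions: the set of critical function codes is a constructed subset of the SAv2 list (the RTU's own list is under Challenged Functions), the HMAC is truncated to 16 octets, DNP3 object framing is omitted, and `derive_session_key` is a stand-in for the real key transport, in which the master generates random session keys and sends them wrapped under the Update Key.

```python
import hashlib
import hmac
import os
import struct

# Constructed subset of the function codes SAv2 treats as critical (Write, Select, Operate,
# Direct Operate, Direct Operate No Ack, Cold/Warm Restart); the RTU's list is in 7.2.1.
CRITICAL_FCS = {2, 3, 4, 5, 6, 13, 14}
MAC_LEN = 16  # SAv2 permits truncated HMAC-SHA256; 16 octets is assumed here


def derive_session_key(update_key, ksq, nonce):
    """Stand-in for SAv2 key transport (assumption): the real master picks random session
    keys and ships them wrapped under the Update Key. Either way: no Update Key, no session key."""
    return hmac.new(update_key, b"SK" + struct.pack(">I", ksq) + nonce, hashlib.sha256).digest()


def compute_mac(session_key, challenge, csq, asdu):
    """HMAC over the challenge data, the challenge sequence number and the critical ASDU."""
    msg = challenge + struct.pack(">I", csq) + asdu
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Device:
    def __init__(self, update_key):
        self.update_key, self.session_key = update_key, None
        self.csq, self.last_challenge = 0, None  # challenge sequence number, last challenge data

    def key_change(self, ksq, nonce):  # initialization / periodic key change
        self.session_key = derive_session_key(self.update_key, ksq, nonce)


class Outstation(Device):
    def __init__(self, update_key):
        super().__init__(update_key)
        self.pending = None  # (csq, challenge, asdu) awaiting a reply
        self.executed = []

    def receive(self, asdu):
        """Non-critical requests run as plain DNP3; critical ones are challenged first."""
        if asdu[0] not in CRITICAL_FCS:
            self.executed.append(asdu)
            return ("response", asdu)
        self.csq += 1
        challenge = os.urandom(4)  # unpredictable challenge data is what defeats replay
        self.pending = (self.csq, challenge, asdu)
        return ("challenge", self.csq, challenge)

    def receive_reply(self, csq, mac):
        if self.pending is None or csq != self.pending[0]:
            return ("error", "no matching challenge outstanding")
        _, challenge, asdu = self.pending
        self.pending = None
        if not hmac.compare_digest(compute_mac(self.session_key, challenge, csq, asdu), mac):
            return ("error", "authentication failed")  # the request is not executed
        self.last_challenge = challenge
        self.executed.append(asdu)
        return ("response", asdu)

    def receive_aggressive(self, asdu, csq, mac):
        """Aggressive mode: the MAC rides with the request, computed over the last successful
        challenge. CSQ must advance by one, so a replay (same CSQ) fails despite a valid MAC."""
        if self.last_challenge is None or csq != self.csq + 1:
            return ("error", "aggressive mode not permitted or stale CSQ")
        if not hmac.compare_digest(compute_mac(self.session_key, self.last_challenge, csq, asdu), mac):
            return ("error", "authentication failed")
        self.csq = csq
        self.executed.append(asdu)
        return ("response", asdu)


class Master(Device):
    def reply(self, csq, challenge, asdu):
        self.csq, self.last_challenge = csq, challenge
        return csq, compute_mac(self.session_key, challenge, csq, asdu)

    def aggressive(self, asdu):
        self.csq += 1
        return asdu, self.csq, compute_mac(self.session_key, self.last_challenge, self.csq, asdu)


def run_scenario():
    """Unchallenged read, challenged write, wrong-key reply, aggressive write, replayed aggressive write."""
    update_key, nonce = bytes(range(16)), b"\x10\x20\x30\x40"  # constructed values
    ost, master, rogue = Outstation(update_key), Master(update_key), Master(b"\xff" * 16)
    for dev in (ost, master, rogue):
        dev.key_change(1, nonce)  # the rogue master holds the wrong Update Key
    read = bytes([1, 0x3C, 0x02, 0x06])  # constructed FC 1 Read (Class 0): not critical
    write = bytes([2, 0x32, 0x01, 0x07, 0x01])  # constructed FC 2 Write: critical
    out = {"read_unchallenged": ost.receive(read)[0] == "response"}
    kind, csq, chal = ost.receive(write)
    out["write_challenged"] = kind == "challenge"
    out["good_reply_executes"] = ost.receive_reply(*master.reply(csq, chal, write))[0] == "response"
    _, csq, chal = ost.receive(write)
    out["rogue_reply_rejected"] = ost.receive_reply(*rogue.reply(csq, chal, write))[0] == "error"
    _, csq, chal = ost.receive(write)
    ost.receive_reply(*master.reply(csq, chal, write))  # re-establish credentials for aggressive mode
    aggr = master.aggressive(write)
    out["aggressive_executes"] = ost.receive_aggressive(*aggr)[0] == "response"
    out["aggressive_replay_rejected"] = ost.receive_aggressive(*aggr)[0] == "error"
    out["executed"] = len(ost.executed)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two points the picture alone does not show: a reply built with the wrong Update Key fails the HMAC check and the write is never executed, and an aggressive-mode frame captured off the wire is rejected when replayed because the outstation insists the sequence number advance, even though the HMAC on the replayed frame is still valid.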

5.3.3 What is AGA12?

The American Gas Association (AGA), in a project for the Gas Technology Institute, formed a working group to develop a cryptography standard to protect SCADA data communications from cyber attacks. The working group developed AGA12, a suite of cryptography standards that recommend how to achieve this.

The AGA12 standard consists of four documents, each addressing different aspects of SCADA data transmission protection. AGA12-2 details the requirements for building interoperable cryptographic modules to protect SCADA communications for low-speed legacy SCADA systems and maintenance ports. AGA12-2 is one component of cryptographic protection for SCADA communications. It specifically defines a protocol (SSPP) for establishing connections and for transporting, encrypting and signing serial SCADA protocols including DNP3. It also defines its operation on a device known as a SCADA Cryptographic Module (SCM).

AGA12 includes specific designs and reference applications for use with DNP3 as well as other SCADA protocols. AGA12 is designed to operate outside of existing SCADA protocols because it specifies an additional protocol wrapper, which makes it adaptable to existing systems and new systems. External devices can be used to provide security. Typically, sessions between a device external to a master station (for example a gateway or other bump-in-the-wire (BITW) device) and outstations (RTUs) are secured.

SCADAPack E RTUs support the AGA12-2 protocol through a Virtual SCADA Cryptographic Module (SCM) integrated with the various operational aspects of the RTU. The implementation adheres to the AGA12-2 recommendations and inter-operates with the AGA12-2 reference application, and is intended for interoperability with other AGA12-2 compliant devices.

See the following sections for more details:

How does AGA12 Work?
Using AGA12 Security

5.3.4 How does AGA12 Work?

The AGA12 suite uses cryptography to protect SCADA communications. Essentially, it provides a means to take cleartext messages and convert them into unintelligible forms (ciphertexts) using a secret number. These encrypted messages can be sent over an insecure connection: an eavesdropper may still capture them, but cannot read them, because only the device the message was sent to can decipher it. Once the message arrives at its destination, it is deciphered using the same secret number. This secret number is called a key. The figure below illustrates how an AGA12 message is handled during the encryption and decryption processes:

AGA12 incorporates security key technology based on open cryptography standards, for example AES encryption. As well as encrypting data content with security keys, AGA12 validates connections between devices using secret keys. These keys allow AGA12 to protect messages by authenticating partner devices and randomizing transactions between them. AGA12 defines such a device as a SCADA Cryptographic Module (SCM).

For more details on how AGA12 works, see:

Description of Security Facilities
Using AGA12 Security

5.3.5 Supported AGA12-2 Functionality

Notable AGA12-2 standard functionality provided in the SCADAPack E RTU includes:

- SSPP (SCADA Security Protection Protocol): The 'SCM address' is equated with the existing 'DNP3 node address' to reduce configuration effort. The SCADAPack E RTU routing architecture already requires uniqueness. DNP3 provides node addresses in the range 0-65520. SSPP allows SCM addressing in the range 1-65535. The unique address range that should be used for DNP3 / SCM addressing is therefore 1-65520. A limited ability to override a destination SCM address is provided, primarily to permit AGA12 Gateway operation (i.e. the destination of RTU messages is typically the Master Station DNP3 address, which is different from the SCM address of the AGA12 Gateway).

- Ciphersuites (encryption algorithm / hash algorithm) supported:

  AES128-CTR / HMAC-SHA-1 (suite 1)
  AES128-CTR / HMAC-SHA-256 (suite 4)

  Suite 1 uses 128-bit encryption with a 160-bit verification signature, while suite 4 uses 128-bit encryption with a 256-bit verification signature. Suite 4 provides better security but requires more computation.

- Concurrent mixed mode operation of cleartext DNP3 protocol and AGA12-2 SSPP protocol on the same link, for DNP3 (and SSPP) routing and AGA12 Gateway operation.

- Static session negotiation for dynamic session exchanges (standard AGA12).

- Dynamically changing on-air keys for maximum protection.

- Association numbers, session IDs and validity time windows (standard AGA12).

- Fixed signaling character and byte-stuffing characters (as per the AGA12-2 reference application for DNP3).

- Counterpart list detailing the nodes permitted to interact with this node, key definitions and time windows.

- Communication synchronization to re-establish AGA12 sessions following session expiry (standard AGA12 feature).

Omissions

The SCADAPack E RTU does not currently provide the following AGA12-2 facilities:

- Selection of AES128-CBC mode (Cipher Block Chaining) and the session establishment BEG message [AGA12-2 changes from March 2006]. These will be supported in a future version of the SCADAPack E RTU.

- Selection of AES128-PE (the low-SCM-latency, high-computation variant of AES encryption). This method is useful for external "bump in the wire" SCM devices to minimize re-transmission latency. It is not a consideration where systems deal only with remote SCADAPack E RTU Virtual SCM devices, as there is no serial retransmission of cleartext messages. Where the SCADAPack E RTU AGA12 Gateway transmits cleartext data, this is typically at a higher data rate (e.g. via Ethernet). AES128-PE may be supported in a future version of the SCADAPack E RTU.

- Selectable signaling characters and byte-stuffing characters. These are not available for user configuration, but are fixed as described in Section Fixed AGA12-2 Parameters.

- BROADCAST or MANAGEMENT dynamic or static session data. Management session handling may be provided in a future version of the SCADAPack E RTU.

- SCM Bank support (for modem banks).

- Instructing an SCM to establish a dynamic session: manually forcing a session to open to another SCM device is not supported.

- RCA and CAR commands (address request and response) are not supported by the SCADAPack E RTU.

- Optimization of SSPP operation for PSTN and other long-connection-establishment media. This may be provided in a future version of the SCADAPack E RTU.


5.3.6 How do DNP3 Secure Authentication and AGA12 Encryption Work together?

When used together, AGA12 provides the encryption and session validation security facilities, while DNP3 Secure Authentication provides the challenge / reply authentication security facilities. Both the AGA12 and DNP3 Secure Authentication standards are relevant to DNP3 communications and SCADAPack E RTUs.

To suit retrofit of existing systems, AGA12 and DNP3 Secure Authentication can be configured without affecting the control system infrastructure and without interrupting the system's operation. Retrofits can be achieved without compromising communications between the RTUs and master stations.

5.3.7 Highlights of SCADAPack E RTU Security

For security management, a Security Administrator application allows the creation of a security management collection containing the security configuration for a whole system. It can generate the Master Key file, RTU security configuration files and SCADAPack E Configurator security files, and these can be written directly to a media interface.

Generally, system security is set up in one of the following ways:

1) unique security keys for each remote RTU that communicates only with the master station host (most secure), or

2) a common security key across a Group of controllers that interact together or are in some collection with the master station host (e.g. Northern RTU sites), with different Groups having unique security keys (pretty good security), or

3) a common security key across a whole system, i.e. one Group (most convenient, but least secure).

Option 1 has the benefit that someone learning one key does not gain access to the whole system. Similarly, Peer nodes can be restricted as to which other Peer nodes they can talk to. This provides maximum security but means additional management of keys.

Option 3 is simpler to manage, but if the common key becomes known, all RTUs are compromised. Option 2 is a compromise offering pretty good security, and may be necessary where there is interaction between peer RTUs, for example. SCADAPack E DNP3 Secure Authentication and AGA12 Encryption require that all interacting devices share the same keys (e.g. if RTU 1 and RTU 2 communicate peer-to-peer and both talk to a master station host, all three devices need to use the same key).

Licensed RTUs can operate as end-nodes receiving AGA12 encrypted DNP3 frames and responding with AGA12 encrypted DNP3 frames. Similarly, they can send and receive DNP3 Secure Authentication messages.

RTUs can be DNP3 and AGA12 routers on any communications media. No special configuration is required for this. A router passes on AGA12 frames or DNP3 Secure Authentication frames. This is particularly useful for wide area radio networks.

SCADAPack E RTUs also support securing Unsolicited, Peer DNP3 and DNP3 Master (data concentrator) transmissions with both DNP3 Secure Authentication and AGA12 encryption.


Remote configuration of security parameters can be granted through the Security Administrator to allow security configuration files to be loaded remotely. This feature can be disabled for increased security protection. In that case it is only possible to configure security through the following mechanisms:

- a Compact Flash card (with security configuration files loaded) plugged into a SCADAPack ES or SCADAPack ER RTU

- SCADAPack E Configurator connected to a SCADAPack 300E via USB peripheral communications

Configuration files containing the security keys and other security parameters can be put on a media interface for direct deployment to RTUs (e.g. a Compact Flash card for SCADAPack ES / SCADAPack ER, or a USB memory stick for loading to a controller by SCADAPack E Configurator). Depending on the arrangement of RTU groups, this allows multiple RTUs to be configured from the same single media ("Security Key"). In the case of SCADAPack ES / SCADAPack ER, a Compact Flash card can be plugged into and removed from each RTU in the same Group in turn.

DNP3 Secure Authentication diagnostics and AGA12 diagnostics are available through the SCADAPack E RTU diagnostic mechanisms (serial diagnostic port, Telnet, diagnostic file capture).

DNP3 Secure Authentication

A mixture of unsecured DNP3 devices and DNP3 Secure Authentication devices can coexist on the same network. The Master station needs to be aware of the configuration requirements of individual devices, including their security configuration.

SCADAPack E Configurator can communicate directly with devices configured with DNP3 Secure Authentication, provided the SCADAPack E Configurator node and user are authorized (configured by the Security Administrator and loaded to devices).

Where both AGA12 and DNP3 Secure Authentication are configured, communication from SCADAPack E Configurator nodes connected remotely on the network can optionally require the SCADAPack E Configurator nodes and users to be authorized, but requires communications to be routed via an AGA12 Gateway RTU.

SCADAPack E Configurator Security can be set up in a number of ways:

A) optionally require the use of individual Username / Password logins to authenticate with RTUs. Username/password lists are configured in all RTU devices in this case.

B) choose one of three SCADAPack E Configurator Security modes:

B.1) Default Key mode - where the Configurator and RTUs communicate out-of-the-box (most convenient but least secure)

B.2) Common Key mode - where a new key is provided to all Configurators and all RTUs, disabling the use of the Default Key and configuring a single specific key (convenient, with better security)

B.3) Unique Key mode - where each Configurator has an individually unique key and all RTUs are aware of the authorized Configurators (best security)

AGA12 Encryption

SCADAPack E RTUs support defining a SCADA Cryptographic Module (SCM). This AGA12 functionality is integrated with the RTU’s serial port communication drivers, DNP3 stack, and IP stack.

To provide AGA12 encryption features or DNP3 Secure Authentication, a controller feature licence needs to be installed.

RTUs can be set up to operate in AGA12 GATEWAY mode, receiving cleartext DNP3 and encrypting it to AGA12 prior to transmission on a communications channel. Conversely, a gateway can receive encrypted DNP3 response frames and decipher them to cleartext DNP3 for transmission back to the requester. Typically this gateway mode is used via serial or network links for host system communications. Gateway mode can be used for central maintenance access to remote RTUs and for DNP3 masters that do not support integrated AGA12 functionality.

Communication networks can operate in AGA12 MIXED MODE as described by the AGA12-2 standard, allowing a mixture of cleartext DNP3 and encrypted AGA12 frames on the same network. Gateways set up to operate in MIXED MODE allow the user to decide whether the risk profile for some RTUs indicates they are not worth securing and can therefore continue to run cleartext DNP3. This also allows systems to be transitioned from cleartext DNP3 to secure AGA12 in a planned migration strategy.

Encrypted data is supported on multiple communications media: direct serial / keyed serial / Ethernet (UDP / TCP) / GPRS / 1xRTT. AGA12 Encryption for PSTN is not currently supported in SCADAPack E RTUs. DNP3 Secure Authentication can operate over PSTN communications.

Every RTU configured with AGA12 security provides a Local Access port. This port communicates using cleartext DNP3; it is primarily for use by SCADAPack E Configurator, but may also be used by other devices locally (securing this port is a physical security issue). All other RTU DNP3 ports are AGA12 encryption protected (for routing, backup links, etc.) when AGA12 security is configured.

SCADAPack E Configurator and other package(s) using DNP3 protocol can communicate with remote protected RTUs through a central AGA12 Gateway RTU.


5.4 Licensing

To license either DNP3 Secure Authentication or AGA12 Encryption for DNP3, you need a controller feature licence. Typically, this is done when the controller is purchased, although a controller feature licence can be purchased and added at a later time. The controller feature licence file is deployed using SCADAPack E Configurator.

For more information on licensing RTUs, see the SCADAPack E Telemetry Operational Reference manual.


5.5 Key Management

SCADAPack E Configurator Key Modes
Master Key Configuration
Compact Flash Entry and UTIL LED
Local USB Configuration


5.5.1 SCADAPack E Configurator Key Modes

There are three modes for security keys when securing access from SCADAPack E Configurator to SCADAPack E controllers. These modes are:

Default Key Mode

The default key mode is the easiest option to use and maintain. Its disadvantage is the same as its convenience: it works out-of-the-box, and so it provides the weakest level of security. The advantage of this mode is that there is no need to manage Configurator security files, because the secret key is known by SCADAPack E controllers and SCADAPack E Configurator by default. It does help protect against attempts to access the protocol from other software, but not against anyone holding a copy of SCADAPack E Configurator, since every copy knows the default key. This mode does, however, still allow user-based authentication to be selected in SCADAPack E Configurator and the controller as a separate layer of security.

The default key mode is provided to simplify initial access to controllers; however, it is strongly recommended that you do not use the factory default key mode in field installations.

Common Key Mode

The common key mode provides more security than the default key mode while keeping key management simple for small systems. It requires that the same Configurator security configuration file be deployed to every instance of SCADAPack E Configurator. The advantage is that you only have to maintain one key for all of your SCADAPack E Configurator installations. The disadvantage is that if a laptop with SCADAPack E Configurator is compromised, the security configuration file needs to be updated on all instances of SCADAPack E Configurator, as well as on every controller that uses SCADAPack E security features.

The common key is generated as part of the Security Administrator project settings. Like the default key and unique key modes, this option allows user-based authentication in SCADAPack E Configurator and the controller.

Unique Key Mode

The unique key mode provides the highest level of security. Each instance of SCADAPack E Configurator is identified using a specific security configuration file. This file is tied to a Machine ID to restrict operation of the software to authorized PCs only. You can add, edit or remove instances of SCADAPack E Configurator from the system, but doing so similarly requires updating every controller with the revised settings. The Security Administrator generates a unique security key for each instance of SCADAPack E Configurator.

An advantage of this mode over the common key mode is that if a laptop is compromised, there is no need to update the security configuration file for every other instance of SCADAPack E Configurator. You remove the compromised SCADAPack E Configurator from the Security Administrator, and new controller security configuration files are generated and deployed to the RTUs.

5.5.2 Master Key Configuration

The security infrastructure is designed so that master keys are deployed once during the lifetime of a system, from the Security Administrator application to controller devices.

It is highly recommended that a trusted individual responsible for system security deploys the master keys to controller devices before releasing them for field installation.


Copies of the master key file need to be removed from portable media and devices following deployment. To ensure the integrity of the security system, you need to take all possible steps to keep the pass phrase, the master key file and its deployment secure.

To deploy a generated master key file to SCADAPack ES or SCADAPack ER controllers, you need to do so from a CompactFlash card. You cannot deploy it from the Security Administrator application.

To deploy a generated master key file to a SCADAPack 300E controller, you need to use SCADAPack E Configurator through the USB peripheral port.

The master key defines the security boundary for the RTUs and security administration of one organization or a part of an organization. It customizes the controller security configuration file that the Security Administrator generates so that the file is system or organization specific. The RTU reads this information.

If required, the Security Administrator can generate new master keys. This is done by entering a new pass phrase. (Using a one-way hash function to transform an arbitrary-length text string into a pseudo-random bit string is a technique called key crunching. The text string is often referred to as a pass phrase, sometimes written as passphrase. The reason for using pass phrases is to avoid ever recording unencrypted keying information, so as to prevent its compromise.) The pass phrase is a critical piece in the security chain and needs to be kept secret. Whenever you enter the pass phrase, you need to enter it exactly the same each time.


The pass phrase is stored on the security administration computer independently of the Security Administrator project. The pass phrase needs to be re-entered on every Security Administrator installation you have.

In addition, the Security Administrator provides the means to export a master key file. The master key file is called system.key.

When you choose to generate a new master key, you will need to update the master key locally at each RTU device using this key (as described above and shown in the picture).
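The key crunching step described above, as an added example; this is not SCADAPack E or Security Administrator code, and the derivation function (PBKDF2-HMAC-SHA256), iteration count, key size, the salt, the layout of the exported system.key file and the per-Group derivation are all assumptions of the example rather than the product's documented format. It shows the three properties the text relies on: the same pass phrase always yields the same master key, a one-character difference yields an unrelated key, and the pass phrase itself is never stored.

```python
import hashlib
import hmac
import os
import secrets

# All parameters below are assumptions for the example, not SCADAPack E values.
PBKDF2_ITERATIONS = 600_000   # work factor: slows brute force of a weak phrase
MASTER_KEY_BYTES = 32         # 256-bit master key
SALT_BYTES = 16


def new_salt() -> bytes:
    """Fresh random salt, stored alongside the key so the derivation is repeatable."""
    return secrets.token_bytes(SALT_BYTES)


def crunch_master_key(pass_phrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """One-way transform of the pass phrase into a fixed-length pseudo-random key.

    Identical input always gives the identical key, which is why the phrase has to be
    typed exactly the same on every Security Administrator installation.
    """
    if len(pass_phrase) < 12:
        raise ValueError("pass phrase too short")
    return hashlib.pbkdf2_hmac("sha256", pass_phrase.encode("utf-8"), salt,
                               iterations, dklen=MASTER_KEY_BYTES)


def pack_system_key(salt: bytes, key: bytes) -> bytes:
    """Assumed system.key layout: salt || key. The pass phrase is never written."""
    return salt + key


def unpack_system_key(blob: bytes) -> tuple:
    if len(blob) != SALT_BYTES + MASTER_KEY_BYTES:
        raise ValueError("unexpected system.key length")
    return blob[:SALT_BYTES], blob[SALT_BYTES:]


def export_system_key(path: str, blob: bytes) -> None:
    """Write the key file owner-readable only; remove copies from portable media after deployment."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(blob)


def verify_pass_phrase(pass_phrase: str, blob: bytes) -> bool:
    """Re-derive from the typed phrase and compare in constant time to the stored key."""
    salt, stored = unpack_system_key(blob)
    return hmac.compare_digest(crunch_master_key(pass_phrase, salt), stored)


def derive_rtu_config_key(master_key: bytes, group_name: str) -> bytes:
    """Customize a per-Group controller configuration key from the master key (HMAC used as a KDF; assumed)."""
    return hmac.new(master_key, b"rtu-config|" + group_name.encode("utf-8"), hashlib.sha256).digest()


if __name__ == "__main__":
    salt = new_salt()
    key = crunch_master_key("correct horse battery staple", salt)   # constructed demo phrase
    export_system_key("system.key", pack_system_key(salt, key))
```

The file written by `export_system_key` is the artifact to carry on the CompactFlash card or USB stick; after deployment the same pass phrase can be confirmed against it with `verify_pass_phrase`, which is the check to run before trusting a re-entered phrase on a second Security Administrator installation.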

5.5.3 Compact Flash Entry and UTIL LED

Using Compact Flash to load security configuration is supported by the following RTU hardware:

SCADAPack ES
SCADAPack ER

Security Configuration for these devices can be loaded from a file on the plug-in media "security key" (i.e. a CompactFlash card). Insertion of a card into the SCADAPack E RTU is automatically detected.

If security is licensed on the RTU, the media root directory is checked for the security configuration file: SYSTEM.RTK

If the RTU does not find this file, the RTU encryption information remains unchanged.

Like KEYS for a door or any other form of security, safe-keeping and distribution of AGA12 keys is necessary.

UTIL LED

The SCADAPack ES and SCADAPack ER RTU hardware includes a "UTIL" LED that indicates the state of a completed operation on the Compact FLASH Utility port.

Upon successfully loading a security configuration file from the Compact FLASH port the "UTIL" LED flashes alternately on and off at a steady rate for 5 seconds.


5.5.4 Local USB Configuration

The following RTU hardware allows the use of USB peripheral interfaces, locally, for security configuration entry:

SCADAPack 300E RTUs

Security Configuration for these devices can be loaded using the USB peripheral interface and SCADAPack E Configurator, from a security configuration file generated by the Security Administrator. This file is called:

SYSTEM.RTK

Like KEYS for a door or any other form of security, safe-keeping and distribution of security keys is necessary.

SCADAPack E Configurator

For SCADAPack 300E RTUs, SCADAPack E Configurator provides a facility for loading the security configuration file through the USB interface. Use the Transfer > Load Security Config. File menu item to do so. It prompts you to choose the security configuration file.


5.6 User-based Authentication

This feature is only available when DNP3 Secure Authentication is licensed and configured.

To enhance security when multiple SCADAPack E Configurator users are present in a system, the Controller Security configuration file can include a user list.

The SCADAPack E Security Administrator application allows configuration of users, providing a list of usernames (and the passwords associated with them). This is configured in RTUs using the Group security configuration files.

The User-based Authentication feature uses the SCADAPack E RTU as an authentication server for access requests from SCADAPack E Configurator. When an access request is received from SCADAPack E Configurator, the RTU uses the DNP3 Secure Authentication keys together with the usernames and passwords.

When a user accesses a system using SCADAPack E Configurator with User-based Authentication enabled, username and password credentials are entered into SCADAPack E Configurator. The controller verifies that the username and password match the information in the security configuration user list. When they match, the user is authenticated and the action is permitted. If they do not match, the controller rejects the attempted action and SCADAPack E Configurator displays a message.

6 Telnet and FTP Authentication

The Telnet and FTP applications provided on SCADAPack E as part of the IP management suite are insecure unless externally secured, because these TCP/IP application protocols transmit their data, including usernames and passwords, in clear text.

It is strongly recommended that Telnet and FTP are DISABLED when not in use. Leaving these two applications enabled creates a security vulnerability if the remote IP connection to an RTU is not secured by other means.

To determine whether your Telnet and FTP services are enabled, check the SCADAPack E Configurator TCP/IP property page.
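The configuration page tells you what the RTU is set to; the check a practitioner also wants is confirmation from the network side that nothing answers on the Telnet and FTP ports after they have been disabled. The following is an added example, not part of SCADAPack E or this manual: it probes the IANA default ports 21 and 23 (assumed; adjust `SERVICES` if the RTU is configured to use others) and reports which cleartext services still accept connections. The `fake_connector` helper stands in for the network so the logic can be exercised offline.

```python
import socket

# Default ports for the two cleartext services; an assumption of the example.
SERVICES = {"ftp": 21, "telnet": 23}


def tcp_port_open(host, port, timeout=2.0, connect=socket.create_connection):
    """True if a TCP connection to host:port completes, i.e. the service is listening.

    Any OSError (refused, unreachable, timeout) is treated as "not listening".
    """
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def cleartext_services_exposed(host, connect=socket.create_connection):
    """Names of the cleartext services that accept connections on host, sorted."""
    return sorted(name for name, port in SERVICES.items()
                  if tcp_port_open(host, port, connect=connect))


def fake_connector(open_ports):
    """Offline stand-in for socket.create_connection: 'listens' only on open_ports."""
    class _Conn:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def connect(address, timeout=None):
        if address[1] in open_ports:
            return _Conn()
        raise ConnectionRefusedError(address)

    return connect


if __name__ == "__main__":
    import sys
    rtu = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # documentation address, constructed
    exposed = cleartext_services_exposed(rtu)
    print("cleartext services exposed on %s: %s" % (rtu, ", ".join(exposed) or "none"))
    sys.exit(1 if exposed else 0)
```

Run it from a host on the same network segment as the RTU's IP interface after disabling Telnet and FTP; a non-zero exit status means a service is still reachable and the TCP/IP property page should be rechecked. A connect-only probe does not send any protocol data to the RTU.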

7 Using SCADAPack E Security

The following sections describe the configuration and use of SCADAPack E security facilities. An individual RTU's security settings can be configured by plugging a media interface into the RTU (for example, a CompactFlash card for SCADAPack ES and SCADAPack ER), or by direct local connection of SCADAPack E Configurator through a USB peripheral port (for example, for SCADAPack 300E RTUs).

Alternatively, the Security Configuration may permit itself to be loaded remotely. This allows remote maintenance of security configurations from SCADAPack E Configurator and Master Station Host systems such as ClearSCADA.

See Section Security Administration for information on Security Administration and plug-in media.

Description of Security Facilities
DNP3 Secure Authentication
AGA12 Encryption
Security Considerations

7.1 Description of Security Facilities

In general terms, security facilities are provided using the following mechanisms:

a system using DNP3 Authentication is secured through Groups where a security key (Group's Common Key) is shared between outstations and the Master Station Host (requires DNP3 Secure Authentication at the master station);

a system using AGA12 is secured using SCM (SCADA Cryptographic Module) devices. In the case of SCADAPack E RTUs, a virtual SCM is integrated with the RTU (this operates via an AGA12 Gateway RTU independent of the master station);

a system using DNP3 Authentication and AGA12 Encryption concurrently is secured using an AGA12 Gateway RTU and Master Station Host supporting DNP3 Secure Authentication. The common Group key and AGA12 Encryption Key is used by the outstation and the AGA12 Gateway RTU. The Group key is used by the Master Station Host and RTUs.

The Security Administrator application is used to generate Security Configuration files for SCADAPack E controllers and SCADAPack E Configurator nodes.


7.2 DNP3 Secure Authentication

DNP3 Secure Authentication operates at the DNP3 Application Layer.

Where Master Station Host to RTU controller security is desired, the Master Station Host must natively support DNP3 Secure Authentication.

Licensing and enabling DNP3 Secure Authentication on the SCADAPack E RTU secures DNP3 interfaces (serial ports, Ethernet ports, USB on SCADAPack 300E RTUs), including communication with SCADAPack E Configurator software.

SCADAPack E RTUs support DNP3 Secure Authentication when operating as a Data Concentrator communicating with remote outstations.

SCADAPack E RTUs also support DNP3 Secure Authentication when operating with peer to peer communications with other outstations.

SCADAPack E Data Concentrator and Peer communication security relies on the inter-communicating devices being in the same security Group, i.e. using the same security keys to configure their communication. For example, the same key value needs to be used at the Master Station host, the data concentrator and the remote RTUs, as part of the same Group.

DNP3 Secure Authentication operates using a Challenge / Response security model. Critical operations are challenged by a node when it receives a message to perform a critical operation.

Challenged Functions
DNP3 Security Settings
Aggressive Mode
Vulnerabilities Addressed

7.2.1 Challenged Functions

When DNP3 Secure Authentication is active on a SCADAPack E RTU, it challenges the mandatory DNP3 (critical) function codes and several of the DNP3 optional function codes. I.e. the RTU challenges the operation of a requester whenever it sends any of these function codes. (The requester could be a Master Station host, Data Concentrator, Peer device or Configurator tool.)

The following DNP3 function codes are challenged by the SCADAPack E RTU when received from a Master device:

DNP3 Function Code   Function
2                    Write
3                    Select
4                    Operate
5                    Direct Operate
13                   Cold Restart
14                   Warm Restart
15                   Initialize Data
20                   Enable Unsolicited Responses
21                   Disable Unsolicited Responses
22                   Assign Class
25                   Open File
27                   Delete File

7.2.2 Security Settings

A number of security settings can be adjusted by the Security Administrator for DNP3 Secure Authentication interoperability and security performance.

Security settings for the SCADAPack E controllers are set on the Security Administrator's Group page.

Allow Update of Security File

Common Key

This is the security key (static DNP3 Update Key) common to devices in this security Group. It can be generated by the Security Administrator application or generated externally and entered in this field on the Security Administrator.

Devices that use this key may include Master Station Host, Data Concentrators, Remote RTUs and IEDs, Peer RTU devices.


DNP3 Algorithms

HMAC

This is the security algorithm used for "signing" security messages to confirm they have not been tampered with. The setting of this field needs to be the same on each device using the Common Key . This setting applies to DNP3 interfaces on the SCADAPack E RTU.

Choose one of the algorithms:

SHA-1 truncated to 4 octets (serial)
SHA-1 truncated to 10 octets (networked)
SHA-256 truncated to 8 octets (serial)
SHA-256 truncated to 16 octets (networked)

The SHA-256 algorithms are more secure than the SHA-1 algorithms but are more RTU processing intensive. Algorithms with more octets are more secure, but cause longer messages (using more bandwidth) for critical messages.

It is recommended to use one of the algorithms with the (serial) indicator where the primary communications interface being protected is a DNP3 serial port.

It is recommended to use one of the algorithms with the (networked) indicator where the primary communications interface is a network interface (Ethernet, PPP, etc.).

Key Wrap

This is the security algorithm used for encrypting the security exchanges that set the dynamic session key from the static DNP3 Update Key. The setting of this field needs to be the same on all devices using the Common Key .

Only the AES-128 algorithm is presently supported.

DNP3 Session Keys

These settings control how the session key is regularly changed (also known as key rotation). Regular session key changes are an important part of the security strategy: they limit the amount of traffic protected under the same key material, so that an attacker who collects large volumes of data, or who obtains one session key, gains only a bounded window.

Session keys are renegotiated when either the Change Interval or the Change Count criterion is met. Whichever criterion is met first causes the renegotiation, after which checking of both criteria restarts.

Change Interval

When enabled, this interval sets the time period for which the DNP3 dynamic session key is valid. After this time, the session key is renegotiated.

Change Count

This is the number of times a session key can be used before it is renegotiated.
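The HMAC options and the session key change rules above, as an added example in code (not SCADAPack E or Security Administrator code). The four algorithm names and truncation lengths are the ones listed in this section; what is authenticated (a challenge sequence number, the challenge data and the request bytes) follows the DNP3 Secure Authentication model, but the exact byte layout is an assumption of the example, as are the function and class names.

```python
import hashlib
import hmac

# The four HMAC settings offered on the Group page: (digest, tag length in octets).
HMAC_OPTIONS = {
    "SHA-1 truncated to 4 octets (serial)": ("sha1", 4),
    "SHA-1 truncated to 10 octets (networked)": ("sha1", 10),
    "SHA-256 truncated to 8 octets (serial)": ("sha256", 8),
    "SHA-256 truncated to 16 octets (networked)": ("sha256", 16),
}


def recommended_hmac(interface: str, prefer_sha256: bool = True) -> str:
    """Apply the recommendation above: (serial) options for DNP3 serial ports,
    (networked) options for Ethernet, PPP and other network interfaces."""
    kind = "serial" if interface.lower() == "serial" else "networked"
    family = "SHA-256" if prefer_sha256 else "SHA-1"
    for name in HMAC_OPTIONS:
        if name.startswith(family + " ") and name.endswith("(%s)" % kind):
            return name
    raise KeyError("no option for %s/%s" % (family, kind))


def compute_mac(option: str, session_key: bytes, csq: int,
                challenge_data: bytes, request: bytes) -> bytes:
    """Truncated HMAC a replying device attaches to a challenged critical request.
    Layout csq || challenge_data || request is an assumption of the example."""
    digest_name, tag_len = HMAC_OPTIONS[option]
    authenticated = csq.to_bytes(4, "big") + challenge_data + request
    return hmac.new(session_key, authenticated, digest_name).digest()[:tag_len]


def mac_ok(option: str, session_key: bytes, csq: int, challenge_data: bytes,
           request: bytes, received: bytes) -> bool:
    """Constant-time comparison, so byte-by-byte timing does not leak the expected tag."""
    expected = compute_mac(option, session_key, csq, challenge_data, request)
    return hmac.compare_digest(expected, received)


class SessionKeyPolicy:
    """Tracks a dynamic session key against Change Interval (seconds) and Change Count;
    renegotiation is due as soon as either limit is reached, and both restart on a new key."""

    def __init__(self, change_interval_s=None, change_count=None):
        self.change_interval_s = change_interval_s
        self.change_count = change_count
        self.started = None   # time the current key was negotiated
        self.uses = 0         # critical exchanges protected with the current key

    def new_key(self, now: float) -> None:
        """Call after a successful session key exchange."""
        self.started = now
        self.uses = 0

    def record_use(self) -> None:
        self.uses += 1

    def renegotiation_due(self, now: float) -> bool:
        if self.started is None:
            return True   # no session key yet
        by_count = self.change_count is not None and self.uses >= self.change_count
        by_time = (self.change_interval_s is not None
                   and now - self.started >= self.change_interval_s)
        return bool(by_count or by_time)
```

The 4-octet SHA-1 tag is the option that saves the most serial bandwidth but is also the easiest to guess; paired with the Maximum Error Count setting described below, the outstation stops answering guesses after a handful of failures, which is the reason those two settings should be considered together when a serial option is chosen.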


DNP3 Aggressive Mode

Accepts Requests

Determines whether the controller will accept Aggressive Mode requests from a master device sending critical controls. If Aggressive Mode is disabled, an aggressive mode request will be rejected by the RTU. The master should use, or be configured to use, standard challenge / reply security messages in this case. The setting of this field needs to be the same on each device using the Common Key. See Aggressive Mode for more information.

Issues Requests

Determines whether the controller will send Aggressive Mode requests when communicating as a DNP3 Master (e.g. Data Concentrator to remote outstations or IEDs, Peer-to-peer with another RTU). This setting applies to communications initiated by the RTU. If a remote device rejects an aggressive mode request, authentication will be unsuccessful. Disable the Aggressive Mode - Issues Requests setting if there are authentication issues. The setting of this field must be the same on all devices using the Common Key.

See Aggressive Mode for more information.

Advanced DNP3 Options

Challenge Data Length

This sets the number of bytes of pseudo-random challenge data used in session key negotiation and authentication challenge messages.

The minimum length of challenge data is 4 octets. The maximum SCADAPack E length for challenge data is 40 octets. The larger the challenge data the better the security but the more overhead on security establishment and challenge messages.

The setting of this field needs to be the same on each device using the Common Key . This setting may be a global setting on some devices, thereby requiring a whole system to operate with the same value.

Session Key Length

The size of the dynamic session key used in session key negotiation and protecting critical message challenges.

The minimum length of session keys is 128-bits (16 octets).

The session key length can be selected from one of the following on the SCADAPack E RTU: 128-bits, 192-bits, 256-bits, 384-bits, 512-bits, 1024-bits.

The larger the session key the better security, but large session keys have more overhead on security establishment, and are more RTU processing intensive.

The setting of this field needs to be the same on each device using the Common Key .

Maximum Error Count

This sets the number of consecutive security conditions for which the SCADAPack E RTU will return errors. After this number of errors, security conditions are silently discarded. This mechanism attempts to alleviate denial of service issues.


In a noisy network environment it may be necessary to increase this count for consistent security exchanges. The higher this number, the more prone the communications are to disruption if a device is subject to a denial of service incident.

This setting affects only the RTU for which it is configured.

7.2.3 Aggressive Mode

Aggressive Mode is a security configuration, set by the Security Administrator. It is either enabled or disabled.

It allows challenge data to be appended to a critical request message without having to go through the full challenge / response exchange, as shown in the following picture. That is, it is a more efficient short-form method of providing authentication information in critical transactions.

When enabled, Aggressive Mode is not used immediately. In conformance with DNP3's use of the IEC62351 standard, security credentials need to first be confirmed between the devices through a full authentication challenge / reply transaction. That is, the first challenge of a critical operation uses a full authentication challenge / response transaction exchange. Subsequent critical operations can then use aggressive mode.


It is equally secure to operate DNP3 Secure Authentication transactions with Aggressive Mode enabled or disabled. It is more bandwidth efficient to operate with it enabled when there are multiple controls issued in a single session.

A configuration option is provided for Aggressive Mode as a requirement of the IEC62351 standard.
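The following is an added Python model (not SCADAPack E or DNP3 library code) of how the settings described above interact on an outstation: challenge data length, session key length, Maximum Error Count with its switch to silent discard, and the Aggressive Mode rule that a full challenge / reply must succeed before aggressive requests are accepted. An HMAC-SHA-256 over the challenge data stands in for the DNP3 SA authentication value, and the key, lengths and error count used are constructed values.

```python
import hashlib, hmac, os

# Added, simplified model of the settings above (not SCADAPack E or DNP3 wire-format
# code): an HMAC over the challenge data stands in for the DNP3 SA authentication
# value; the Maximum Error Count and Aggressive Mode rules follow the text exactly.
SESSION_KEY_BITS = (128, 192, 256, 384, 512, 1024)  # lengths listed on this page

def auth_mac(session_key, challenge):
    """Master side: authentication value computed over challenge data."""
    return hmac.new(session_key, challenge, hashlib.sha256).digest()

class Outstation:
    def __init__(self, session_key, challenge_len=4, max_error_count=2,
                 accept_aggressive=True):
        if len(session_key) * 8 not in SESSION_KEY_BITS or not 4 <= challenge_len <= 40:
            raise ValueError("unsupported session key or challenge data length")
        self.key, self.challenge_len = session_key, challenge_len
        self.max_errors, self.accept_aggressive = max_error_count, accept_aggressive
        self.errors = 0                  # consecutive security errors seen
        self.pending = None              # outstanding challenge data, if any
        self.full_exchange_done = False  # a full challenge/reply gates Aggressive Mode

    def _fail(self):
        """Error response until Maximum Error Count is exceeded, then silent discard (None)."""
        self.errors += 1
        return "ERROR" if self.errors <= self.max_errors else None

    def _valid(self, challenge, mac):
        return hmac.compare_digest(mac, auth_mac(self.key, challenge))

    def challenge(self):
        self.pending = os.urandom(self.challenge_len)  # pseudo-random challenge data
        return self.pending

    def reply(self, mac):
        """Full exchange: master's reply authenticates the pending challenge."""
        if self.pending is None or not self._valid(self.pending, mac):
            return self._fail()
        self.pending, self.errors, self.full_exchange_done = None, 0, True
        return "OK"

    def aggressive_request(self, challenge, mac):
        """Aggressive Mode: master appends its own challenge data and MAC to the request."""
        if not (self.accept_aggressive and self.full_exchange_done):
            return self._fail()
        if len(challenge) != self.challenge_len or not self._valid(challenge, mac):
            return self._fail()
        self.errors = 0
        return "OK"
```

A replayed reply is rejected because the pending challenge is cleared after one successful use, and a correct request after a run of failures resets the error counter, which is why the count is per-RTU and only affects the device on which it is configured.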


7.2.4 Vulnerabilities Addressed

Outstation security modes can be changed remotely, for convenience, if so enabled. For highest security disable this in the SCADAPack E Security Administrator application. Security configuration then requires Physical Access.

Setting a Master Key requires Physical Access.

The RTU's general configuration file does not hold a copy of security information such as keys or security modes. Key configurations are stored in encrypted format.

When using Peer communications, the same security considerations apply as when enabling secure communication with a master station. In SCADAPack E, security configurations require peer nodes to use the same Common Key (e.g. configured by using the same Security configuration file).

Remote I/O communication is not authenticated. When the RTU uses Remote I/O and is connected to a DNP3 Secure Authentication network, it is recommended that the Remote I/O not use this same connection. For example:

The Main RTU uses the ETH 1 port for connection with the DNP3 Secure Authentication network and uses ETH 2 port for Remote I/O.

The Main RTU uses a serial port for connection with the DNP3 Secure Authentication network and ETH 1 for Remote I/O.

References

Related documents